httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vadim Chekan <>
Subject Re: LDAP authentication: non-anonymous bind
Date Fri, 29 Jan 2010 06:12:38 GMT
Lars Kruse wrote:
> Hi,
> the attached patch adds a second option for non-anonymous binds to the
> authnz_ldap module. Please consider it for adoption.

I've applied it to 2.2.14 today and tested on windows (AD).
It can't bind if the exact ldap folder is unknown.

Let's say we have users not in OU=Users, but in OU=Developers and OU=QA.
In order for developer to authenticate http would have to bind to AD 
with search base "OU=Developers,dc=company,dc=com". But in order for QA 
person, searach base should be different: "QA=Developers,dc=company,dc=com".

Let's say we do search by sAMAccountName. Then with current approach the 
search base generate: "sAMAccountName=<user name>,dc=company,dc=com".
Such search base does not exist.

In order to search in subfolders, search base should be static, meaning 
set in config file. And user name (variable part) should go into filter. 
Then it will be possible to search in "dc=company,dc=com" including 
subfolders by filter "(&(objectClass=user)(sAMAccountName=<user name>)"

I managed to make it working (dirty hack):
I bind with username as is (must be <user name>, and 
attribute in AuthLdapUrl should be set to "userPrincipalName".
So I changed the code:
- sec->binddn = apr_psprintf(r->pool, "%s=%s,%s", sec->attribute, user, 
+ sec->binddn = apr_psprintf(r->pool, "%s", user);

> The current situation:
> The authnz_ldap module supports only one kind of non-anonymous bind to the ldap
> server: by specifying the username ("binddn") and password ("bindpw") in an
> apache config file. This is obviously not a very pretty thing, since you need
> to take good care for file permissions (as an admin) and also users may feel a
> little bit uncomfortable to put their plaintext login data into an htaccess
> file.

Now, if we are at it, can we discuss encryption? Authnz_ldap will 
request AD in plain text. Not good. Without AuthLDAPAuthOnBind only 
single pseudo-user account was compromised with in ON, everybody's 
account will travel across the network in plain text, even if you 
connect to https via ssl!

I played a little bit with Apache Directory Studio, and I could connect 
to AD only in 2 cases.
	No encryption; Simple Authentication (plain text)
	No encryption; Digest-md5 (SASL)

Any chance we can leverage digest-md5 authentication method?
Othervise I would allow only ssl-emabled connection to AD. May be with 
some option "enable plain text if you know what you are doing".


View raw message